Searching for trust in cryptography


There have been many articles of late regarding the subversion of the secure socket layer (SSL) and how it can be practically achieved.

The implications of this subversion are profound for online activity with high-security requirements, such as e-commerce, and there is currently no 'patch' or 'fix' that can be applied to restore trust or, in this case, to address the lack of it.

At the root of this issue is the fact that 'trusted' Certificate Authorities or CAs are embedded in the browsers we use. These CAs issue certificates that are utilised by end users to authenticate the site they visit.

If a CA can be coerced into issuing a fake certificate, or if the CA is itself a government agency (there are a few in browsers), then a 'man in the middle' attack can be perpetrated without the knowledge of the end user. To make matters worse, if a CA can be coerced into issuing a 'trusted' intermediate CA certificate to such an agency, then the whole process can be dynamically automated, generating trusted site certificates 'on the fly'.

In this case, any familiarity that a user has with the green bar in their browser displaying the CA name is fully exploited to fool the end user. Only deep inspection of the certificate can reveal any anomalies worthy of further investigation, a process that is not within the inclination or abilities of most end users.

What does trust have to do with cryptography? Well, in the example above, cryptography serves as a well-placed solution. SSL is doing exactly what it’s supposed to be doing and the cryptography is sound.

The issue is one of the ‘trust anchor’. In this case it’s the CAs that are allowed into the browsers in the first place. There are many, and they are there because the web browsers charge a large amount to be included in the trusted CA list. CAs are just like any other commercial organisation that can be compelled by a government agency to 'cooperate with the authorities' whether they like it or not.

The trust base is wide as there are hundreds of CAs in most commercial browsers and therefore it’s quite difficult to limit this exposure. The problem is simply one of 'trust'.

The success of SSL has been primarily due to its secure, ubiquitous and transparent nature; only when there is a problem does SSL report back with an error.

The above-mentioned attack is a significant threat to the general purpose and use of SSL. Unless users are inclined to perform a deep inspection of the certificate chain, they would be completely oblivious to this attack, unknowingly divulging sensitive personal information with every click.
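The deep inspection described above can be partly automated by remembering which CA issued the certificate a site presented before and flagging a change, since a certificate from any other trusted CA validates equally well in the browser. The following is an added example, not part of the original article; the class name, verdict strings, 30-day renewal window, host name and certificate bytes are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

RENEWAL_WINDOW = timedelta(days=30)  # assumption: normal renewals happen this close to expiry


class IssuerWatch:
    """Remembers the certificate each host last presented (hypothetical helper)."""

    def __init__(self):
        self.baseline = {}  # host -> (issuer, fingerprint, not_after)

    def check(self, host, issuer, der_bytes, not_after, now):
        # In real use der_bytes would come from SSLSocket.getpeercert(binary_form=True).
        fp = hashlib.sha256(der_bytes).hexdigest()
        prev = self.baseline.get(host)
        if prev is None:
            self.baseline[host] = (issuer, fp, not_after)
            return "first-seen"
        prev_issuer, prev_fp, prev_not_after = prev
        if fp == prev_fp:
            return "unchanged"
        early = now < prev_not_after - RENEWAL_WINDOW
        if issuer != prev_issuer and early:
            # A different CA while the old certificate still had a long life left:
            # keep the old baseline so the suspect certificate is never learned.
            return "alert-issuer-changed"
        self.baseline[host] = (issuer, fp, not_after)
        if issuer != prev_issuer:
            return "issuer-changed-at-renewal"
        return "reissued-early" if early else "renewed"


def demo():
    # Constructed observations: byte strings stand in for DER-encoded certificates.
    w = IssuerWatch()
    t0, exp = datetime(2024, 1, 1), datetime(2024, 12, 31)
    return [
        w.check("shop.example", "CN=Example CA A", b"cert-1", exp, t0),
        w.check("shop.example", "CN=Example CA A", b"cert-1", exp, t0 + timedelta(days=10)),
        # Chain from another trusted CA, eleven months before the old certificate expires.
        w.check("shop.example", "CN=Example CA B", b"cert-2", exp, t0 + timedelta(days=20)),
        # The original CA renews inside the renewal window.
        w.check("shop.example", "CN=Example CA A", b"cert-3",
                datetime(2025, 12, 31), datetime(2024, 12, 15)),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A changed issuer is a prompt for closer inspection rather than proof of interception, because sites do switch CAs legitimately.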

The best defence is education. Get the word out and let's all start being even more careful when browsing!
